Meeting the new challenges presented by the Internet of Things.
It wasn’t so long ago that ‘personal data security’ meant shredding financial information and memorising your PIN. Fast-forward a decade and it has become necessary to share our sensitive data far and wide just to complete daily tasks.
Increasingly smart, fast and responsive, our physical world has begun merging with the digital. Smart cities monitor Clean Air Zones and congestion; industry is booming with internet-enabled plant machinery and our homes are packed with smart devices from doorbells to white goods. In fact, there are already more connected devices than there are people on earth.
What is the Internet of Things (IoT)?
From light bulbs to jet engines, the Internet of Things refers to the billions of physical technological devices that connect to the internet, collecting and sharing often sensitive data – with no need for human interaction.
The term broadly describes devices that you wouldn’t usually expect to have this connectivity, such as a plug or a watch. The rapid growth of these innovations is the result of falling prices of sensors, RFID and semiconductor chips along with the widespread availability of the internet. The adoption of IPv6 has provided more IP addresses than we will ever need and cost-effectiveness has seen us become an internet-driven society.
When it comes to controlling our devices and accessing information at speed, our technology has been designed for maximum convenience. Building automation is a fast-growing sector. Voice-activated lighting, smart plugs and intelligent heating systems are all becoming commonplace, along with the installation of smart meters by our utilities companies. Increasingly affordable Wi-Fi cameras secure our homes and the demand for smart speakers continues to soar. Even everyday household goods are connected: hoovers, dishwashers and refrigerators.
How big is the Internet of Things?
According to Statista, there are currently 35.82 billion Internet of Things devices globally. Today, the average Briton has access to nine connected devices. It is projected that the total number of IoT devices will more than double, reaching 75.44 bn by 2025, a CAGR of almost 25%. With the growth of the technology industry and the changing societal behaviours of 2020, it is anticipated that this figure may be higher.
What is the industrial IoT?
Almost everything electronic has become measurable. Accurate real-time data gives businesses far greater insight and agility, helping them improve products and internal systems, maximising efficiencies and streamlining processes.
The industrial Internet of Things (IIoT) has become known as the fourth industrial revolution or Industry 4.0. AI and machine-to-machine technologies deliver manufacturing precision and the ability to analyse and optimise performance to increase responsiveness and productivity whilst reducing operating costs.
Unfortunately, despite the considerable benefits and the technological advances, the Internet of Things does not have the security we have come to expect as standard. Our thirst for data and the associated benefits has meant that this is often overlooked.
Manufacturers have appeared to give little thought to the security basics, such as encrypting data during transit or at rest. In fact, many IoT devices were not designed to receive updates. Technology moves fast but the lifecycles of these devices mean that they are likely to remain in use in 10-15 years. With no means of implementing patches, businesses are left open and at risk.
Can the IoT enable a cyber-attack?
Connecting industrial machinery to the network poses a risk of industrial espionage or strikes on critical systems for political or financial gain. Whilst the financial stakes are high for business, attacks can result in real-world consequences should hackers gain control of power stations, vaccine refrigeration or fuel supplies, as they did with the U.S. Colonial Pipeline in 2020.
With the growth of remote working practices, cyber criminals homed in on home Wi-Fi routers and webcams, presenting a significant new challenge for IT departments. In addition, due to their inherent low security, the hackers were able to gain access through exposed smart appliances, then progress to the wider network. After all, that smart refrigerator is connected, sending data to a back-up cloud… a cloud that holds more than your reminders to buy milk – it also holds an array of valuable data that could result in a financially devastating breach.
In 2017, LG were forced to update their SmartThinQ app when researchers found they could gain entry and control their smart fridges, dishwashers, ovens and vacuum cleaners via their cloud application. In the same year, global cybersecurity experts, Bitdefender, revealed a massive vulnerability in 175,000 low-cost security cameras from Shenzhen Neo Electronics.
IoT devices are easy pickings for hackers, who unite them into a vast digital army known as a ‘botnet’. Used to deploy Distributed Denial of Service (DDoS) attacks, botnets flood a website with requests so that it crashes. In February 2020, Amazon Web Services managed to fend off the largest DDoS attack in history.
Furthermore, the IoT includes equipment that doesn’t connect to the internet but connects to another device via Bluetooth. This accessibility has been responsible for a recent spike in data breaches. In 2020, a cybersecurity expert demonstrated the vulnerability of Bluetooth when he hacked the technologically advanced Tesla Model X in less than 30 seconds. Without stricter enterprise security, it is highly likely we will see some substantial IoT mishaps in the coming years.
How does IoT Security differ from traditional cybersecurity?
In a recent survey of 600 tech decision makers by PSA Certified, 90% agreed that Internet of Things security is highly important today and will be in five years’ time. Yet most organisations lack a robust IoT cybersecurity program due to the multi-layered nature of this complex ecosystem. Traditional cybersecurity doesn’t take account of the diversity of data, the range of power and the vast ‘attack surface’ of IoT devices. There’s no ‘one size fits all’ solution; IoT security must include a variety of strategies to mitigate the huge number of vulnerabilities.
Secure all end-points.
Network security should address all types of physical and digital end-points. Segmenting IoT devices into their own micro-network will provide functional access and protect the wider, restricted network. Whereas many Internet of Things technologies do not integrate with antivirus software, a security gateway has greater processing power and so can act as an intermediary, implementing firewall protection for connecting IoT devices.
The use of a Public Key Infrastructure will facilitate encryption and decryption of private messages; the digital certificates secure connections between multiple devices. The role of PKI is vital for transaction-based ecommerce websites, protecting the data input by the user.
Better design and greater support.
The UK government has announced plans to hold IoT manufacturers and retailers accountable with new laws, which focus on three principles of data governance. Device passwords must be unique and unable to be reset, manufacturers must state the minimum time that they will provide security updates and they must provide a contact to enable vulnerability reporting.
Building tamperproof hardware, providing the most recent OS and releasing firmware updates from the outset of product development is critical when it comes to safeguarding both businesses and consumers alike. In the immediate future, however, buyers can vote with their feet, ensuring that they only purchase from manufacturers offering guaranteed support.
Correct IoT asset disposal.
The data collected by the Internet of Things will grow exponentially with the increasing demand, marketplace and applications. The availability of cheap, power-efficient processors has seen the IoT become disposable commodities. Despite GDPR legislation encompassing the IoT and government mandates on the circular economy, many organisations don’t have an IT asset disposal policy for these unpatched legacy devices.
ITAD services have responded quickly, embracing the challenges presented by the IoT assets that have been silently gathering data for years. Many large organisations have previously performed the data erasure function in-house, prior to shipping the redundant IT assets to their ITAD partner for disposal. But today, this represents one of the biggest challenges in data governance.
Due to the fragmentation of the operating systems used, it is exceptionally difficult for IT teams to protect company data in this way. No in-house software tool is capable of addressing the vast magnitude of the Internet of Things to guarantee complete destruction of files, encryption keys and even Wi-Fi passwords. The latter can be all a hacker requires. As they are built with basic processors, the batteries in these end-of-life IT assets no longer have the reserves to run the software of remote data wiping services. A further complication to asset disposal is the batteries themselves, which are regulated by the WEEE legislation.
CISOs and CIOs understand the importance of data destruction and IT asset disposal of their redundant IT equipment. However, there is also a responsibility to do so in an environmentally friendly ITAD manner. Contributing to the circular economy, an ITAD supplier can identify components with residual value so the device can be recycled and remanufactured. Their zero-landfill policies prevent vast quantities of e-waste, annually.
The Internet of Things is of increasing importance to enterprises and industry alike, enhancing communication, productivity and industry advancements and enabling business growth. However, it presents significant data security challenges, which we cannot ignore.
Whilst policymakers plan to demand responsible manufacturing and security support in the future, steps should be taken now to mitigate the immediate risk. All forms of IoT devices connected to the corporate network should be isolated via gateways and protected with data encryption, and retired assets should be securely erased and recycled by professional data erasure services that can ensure an ITAD chain of custody.
To meet the new cybersecurity challenges, CISOs and CIOs must consider a complete IoT lifecycle approach to ensure that the bridge between the physical and the digital doesn’t provide access to the cyber-criminals.
Sources: ZDNet, Gartner, Palo Alto Networks, The Internet of Things Agenda, The Thales Group, CDR Global, The BBC, Mainstream Global, Rethink Research, Statista, Globe News Wire, The Telegraph, PSA Certified, findstack.com